Computer in a Workgroup Access in a Domain Setting

I noticed that when a new computer is being built [Windows 2000, Windows XP
or even a Windows 2003], and before it is added to the domain, it can access
resources on a file server [a Windows 2000 server].
The domain is Windows 2003 functional.
How can that be tightened down?

You will have to specifiy what "access resources" means. Just being able to
see the shares listed in Network Places or in Explorer is not the same as
accessing them. Any Workgroup machine can access shares if the right domain
credentials are manually given. Giving "Everyone" permission would not do
it because in the context of the domain "Everyone" means "Everyone on the
Domain" not "everyone in the world" so the "Everyone" on the Workgroup
machine would not fit into that.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

"plane123" <plane123@discussions.microsoft.com> wrote in message
news:66F724E3-0057-4680-BAA1-5FBE62C081ED@microsoft.com...
> I noticed that when a new computer is being built [Windows 2000, Windows
XP
> or even a Windows 2003], and before it is added to the domain, it can
access
> resources on a file server [a Windows 2000 server].
> The domain is Windows 2003 functional.
> How can that be tightened down?

Phillip,
Thank you for replying.
When I access resources, I mean I actually map a drive.
For instance I can map a drive to \\computer\c$ and it let's me in.
The user I'm logged into on the machine at the time is usually the local
admin on the box.

"Phillip Windell" wrote:

> You will have to specifiy what "access resources" means. Just being able to
> see the shares listed in Network Places or in Explorer is not the same as
> accessing them. Any Workgroup machine can access shares if the right domain
> credentials are manually given. Giving "Everyone" permission would not do
> it because in the context of the domain "Everyone" means "Everyone on the
> Domain" not "everyone in the world" so the "Everyone" on the Workgroup
> machine would not fit into that.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
> "plane123" <plane123@discussions.microsoft.com> wrote in message
> news:66F724E3-0057-4680-BAA1-5FBE62C081ED@microsoft.com...
> > I noticed that when a new computer is being built [Windows 2000, Windows
> XP
> > or even a Windows 2003], and before it is added to the domain, it can
> access
> > resources on a file server [a Windows 2000 server].
> > The domain is Windows 2003 functional.
> > How can that be tightened down?
>
>
>

plane123 wrote:
> I noticed that when a new computer is being built [Windows 2000,
> Windows XP or even a Windows 2003], and before it is added to the
> domain, it can access resources on a file server [a Windows 2000
> server].
> The domain is Windows 2003 functional.
> How can that be tightened down?

Phillip Windell wrote:
> You will have to specifiy what "access resources" means. Just being
> able to see the shares listed in Network Places or in Explorer is
> not the same as accessing them. Any Workgroup machine can access
> shares if the right domain credentials are manually given. Giving
> "Everyone" permission would not do it because in the context of the
> domain "Everyone" means "Everyone on the Domain" not "everyone in
> the world" so the "Everyone" on the Workgroup machine would not fit
> into that.

plane123 wrote:
> When I access resources, I mean I actually map a drive.
> For instance I can map a drive to \\computer\c$ and it let's me in.
> The user I'm logged into on the machine at the time is usually the
> local admin on the box.

Look at the permissions on the file shares of your domain server. Are you
allowing only authenticated users to access them? If so - then only
somoneone passing proper domain credentials would be able to get to said
shares. This does NOT mean the machine(s) in questions have to be a member
of your domain to access the shares, just the users have to give their
domain credentials to do so.. (domain\username and password.)

That is assuming you mean \\computer\c$ is your domain servers and there
isn't a local user on the domain server (meaning it is not a DC) that has
the same username/password as the local user you are logged in as on the
computer in question.

--
Shenan Stanley
MS-MVP
--

Hello,

Just an idea, but perhaps the local admin you are logged in as on the
machine being built has the same username/password pair as the domain
administrator account? If you were to change the local admin password to
something different, or not set it the same during Windows setup, you
may not have this issue.

Dean

-----Original Message-----
From: plane123 [mailto:plane123@discussions.microsoft.com]
Posted At: Wednesday, 22 June 2005 4:55 a.m.
Posted To: microsoft.public.security
Conversation: Computer in a Workgroup Access in a Domain Setting
Subject: Re: Computer in a Workgroup Access in a Domain Setting

Phillip,
Thank you for replying.
When I access resources, I mean I actually map a drive.
For instance I can map a drive to \\computer\c$ and it let's me in.
The user I'm logged into on the machine at the time is usually the local

admin on the box.

"Phillip Windell" wrote:

> You will have to specifiy what "access resources" means. Just being
able to
> see the shares listed in Network Places or in Explorer is not the same
as
> accessing them. Any Workgroup machine can access shares if the right
domain
> credentials are manually given. Giving "Everyone" permission would
not do
> it because in the context of the domain "Everyone" means "Everyone on
the
> Domain" not "everyone in the world" so the "Everyone" on the Workgroup
> machine would not fit into that.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
> "plane123" <plane123@discussions.microsoft.com> wrote in message
> news:66F724E3-0057-4680-BAA1-5FBE62C081ED@microsoft.com...
> > I noticed that when a new computer is being built [Windows 2000,
Windows
> XP
> > or even a Windows 2003], and before it is added to the domain, it
can
> access
> > resources on a file server [a Windows 2000 server].
> > The domain is Windows 2003 functional.
> > How can that be tightened down?
>
>
>